6

We are having an issue on one of our clients relatively new sbs installs.

The domain consists of a single SBS 2011 server with 4 Windows 7 clients and 3 XP clients. Most of the time everything is fine, however roughly every 3 days, Windows 7 clients start timing out when trying to receive computer group policy.

This results in hour long delays before getting to the login screen in the morning. This is accompanied by event ID 6006, win login errors stating it took 3599 seconds to process policy. Once they've booted they can log in without issue however gpupdate fails again on computer policy and gpresult comes back with access denied, even when run as domain admin... At this point if we restart the server the network is fine for 3 days.

I thought perhaps it might be ipv6 or smb2, but disabling ipv6 on the clients doesn't help and the clients can browse the sysvol folder freely on smb2 anyway. Does anyone have any ideas or routes I can take to further diagnose the issue?

Shane Madden
  • 112,982
  • 12
  • 174
  • 248
Alex Berry
  • 2,307
  • 13
  • 23
  • 1
    If you can access SYSVOL and there are no network issues, I would be inclined to think it's some kind of security/authentication issue between the clients and the SBS server. Group Policy relies heavily on two things: SYSVOL files and AD information (OU location, group membership, etc.). Sounds like the former is fine, time to look at the latter. – tfrederick74656 Nov 12 '15 at 18:33
  • 2
    The first thing I would do is enable Group Policy logging (aka Userenv logging) on the client, wait for bootup to get slow, then look in the logs for errors. http://clintboessen.blogspot.com/2014/01/how-to-enable-group-policy-debugging-on.html If the logs still don't help you, then I would do a boot trace with XPerf: https://blogs.technet.microsoft.com/askpfeplat/2012/06/09/slow-boot-slow-logon-sbsl-a-tool-called-xperf-and-links-you-need-to-read/ – Ryan Ries Apr 30 '16 at 17:39
  • 1
    +1 for Userenv logging. This log can be a pain to dig through due to the verbosity, but you should be able to find some clues there. I would also be wary of any software installation policies you may have published - these can easily lead to extremely long delays if there are issues with the installation. – tfrederick74656 Jun 18 '16 at 07:27
  • Sounds like a DNS problem to me. Verify *all* DNS servers on your clients and make sure that absolutely no other DNS than your DC is used anywhere. – bjoster Nov 11 '19 at 14:16
  • Thanks for the response, this issue was too long ago for me to remember what the cause was :) – Alex Berry Nov 18 '19 at 16:08

1 Answers1

0

Sounds like your domain windows are trying to contact your DC but unable to get information what they need from DC. It could be either you have corrupted profile roaming or computers are trying to map a network drive but failed.

I would do the following:

  1. Make sure SBS 2011 has all windows update installed and up to date.
  2. Since I do know have enough information on the structure of group policies you have in your DC I am unable to provide exact resolution but I would disable group policy one by one then do the gpupdate on domain PCs then check the result via eventviewer. If you have policy for profile roaming or network drive mapping on your computer container, remove one from the container and see what happens.
  3. Check there is no duplicated IP address assigned to your PC. I assume you have fixed IP address on your all domain PCs as well as your DNS.
  4. Rejoin your domain PCs.
PaddyKim
  • 126
  • 2